<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>域内主机存活探测 | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"> <main class="page"> <div class="theme-antdocs-content content__default"><h1 id="前言">前言 <a href="#前言" class="header-anchor">#</a></h1>
<blockquote><p>注：本文中的工具均来源于互联网，使用前请自行检查是否带有后门（建议先在隔离环境中运行，并与上游发布的版本或哈希值比对）。工具可在 pan.wgpsec.org 下载。</p></blockquote>
<p>在进入目标域后，对域内主机进行存活探测是不可或缺的一步。</p>
<h2 id="_1、ping">1、ping <a href="#_1、ping" class="header-anchor">#</a></h2>
<p>使用 ping 进行检测的优点是不容易触发检测规则，缺点是速度较慢；如果目标开启了禁止 ping 的策略（例如主机防火墙丢弃 ICMP 回显请求），那这个方法就 gg 了，此时没有回复并不代表主机不在线。不过“不容易触发”不等于不可见：下面的循环会从同一台主机对整个网段逐个启动 ping 进程，在启用了进程创建审计的环境中（Sysmon 事件 ID 1、Windows 安全日志 4688）以及网络流量记录里都会留下连续的记录。</p>
<h3 id="windows">Windows <a href="#windows" class="header-anchor">#</a></h3>
<div class="language- line-numbers-mode"><pre class="language-text"><code>for /l %i in (1,1,255) do @ping 192.168.7.%i -w 1 -n 1|find /i &quot;ttl=&quot;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language- line-numbers-mode"><pre class="language-text"><code>C:\Users\daniel10&gt;for /l %i in (1,1,255) do @ping 192.168.7.%i -w 1 -n 1|find /i &quot;ttl=&quot;
来自 192.168.7.7 的回复: 字节=32 时间&lt;1ms TTL=128
来自 192.168.7.107 的回复: 字节=32 时间=1ms TTL=64
来自 192.168.7.110 的回复: 字节=32 时间&lt;1ms TTL=128
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><h3 id="linux">Linux <a href="#linux" class="header-anchor">#</a></h3> <div class="language- line-numbers-mode"><pre class="language-text"><code>for k in $( seq 1 255);do ping -c 1 192.168.7.$k|grep &quot;ttl&quot;|awk -F &quot;[ :]+&quot; '{print $4}'; done
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language- line-numbers-mode"><pre class="language-text"><code>teamssix@localhost:~#  for k in $( seq 1 255);do ping -c 1 192.168.7.$k|grep &quot;ttl&quot;|awk -F &quot;[ :]+&quot; '{print $4}'; done
192.168.7.7
192.168.7.107
192.168.7.110
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><h3 id="vbs">VBS <a href="#vbs" class="header-anchor">#</a></h3> <div class="language- line-numbers-mode"><pre class="language-text"><code>strSubNet = &quot;192.168.7.&quot;  
' Main loop of the sweep: probes host numbers 1 to 254 under strSubNet
' (assigned on the line above this block) and records every address for
' which Ping() returns True.
' Results are written to C:\Result.txt, so a run leaves that file on disk.
Set objFSO= CreateObject(&quot;Scripting.FileSystemObject&quot;)  
Set objTS = objfso.CreateTextFile(&quot;C:\Result.txt&quot;)   
For i = 1 To 254  
' Build the full address by appending the host number to the prefix.
strComputer = strSubNet &amp; i  
blnResult = Ping(strComputer)  
' Only responding addresses are logged; silent ones leave no line in the file.
If blnResult = True Then  
objTS.WriteLine strComputer &amp; &quot; is alived ! :) &quot;  
End If  
Next   
' Close the result file before announcing completion.
objTS.Close  
WScript.Echo &quot;All Ping Scan , All Done ! :) &quot;    
' Ping(strComputer): queries the WMI class Win32_PingStatus for one address.
' Returns True when the first result row has StatusCode 0 and False for any
' other status code. If the query yields no rows the return value is never
' assigned, so the caller comparison against True does not match.
Function Ping(strComputer)  
' Bind to the WMI service of the local machine, namespace root\cimv2.
Set objWMIService = GetObject(&quot;winmgmts:\\.\root\cimv2&quot;) 
' The address is concatenated directly into the WQL text. The only caller
' shown builds it from strSubNet plus a loop counter, not from outside input.
Set colItems = objWMIService.ExecQuery(&quot;Select * From Win32_PingStatus Where Address='&quot; &amp; strComputer &amp; &quot;'&quot;) 
For Each objItem In colItems  
Select case objItem.StatusCode  
Case 0  
Ping = True  
Case Else  
Ping = False  
End select  
' Only the first row is inspected; leave the loop immediately.
Exit For  
Next  
End Function
</code></pre></div><h2 id="_2、powershell">2、PowerShell <a href="#_2、powershell" class="header-anchor">#</a></h2>
<h3 id="tspingsweep">TSPingSweep <a href="#tspingsweep" class="header-anchor">#</a></h3>
<p>PowerShell TSPingSweep 扫描脚本下载地址：</p>
<p><a href="https://raw.githubusercontent.com/dwj7738/My-Powershell-Repository/master/Scripts/Invoke-TSPingSweep.ps1" target="_blank" rel="noopener noreferrer">https://raw.githubusercontent.com/dwj7738/My-Powershell-Repository/master/Scripts/Invoke-TSPingSweep.ps1 <span class="sr-only">(opens new window)</span></a></p>
<p><a href="https://pan.wgpsec.org/d/public/4-%E5%90%8E%E6%B8%97%E9%80%8F%20&amp;%20%E5%9F%9F%E6%B8%97%E9%80%8F/%E4%B8%BB%E6%9C%BA%E5%8F%91%E7%8E%B0/Invoke-TSPingSweep.ps1" target="_blank" rel="noopener noreferrer">狼盘下载 Invoke-TSPingSweep.ps1 <span class="sr-only">(opens new window)</span></a></p>
<p>上面的 GitHub 地址指向第三方仓库的 master 分支，内容可能随时变化；运行前应通读脚本，并固定使用已经审阅过的版本。下面的命令除存活探测外，还会解析主机名（-ResolveHost）并对 445、135 端口发起连接（-ScanPort）；在启用了 PowerShell 脚本块日志（事件 ID 4104）的主机上，导入并执行的脚本内容会被记录。</p>
<div class="language- line-numbers-mode"><pre class="language-text"><code>powershell.exe -exec bypass -Command &quot;Import-Module ./Invoke-TSPingSweep.ps1; Invoke-TSPingSweep -StartAddress 192.168.7.1 -EndAddress 192.168.7.254 -ResolveHost -ScanPort -Port 445,135&quot;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/Snipaste_2021-02-23_21-02-52.png" alt=""></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>C:\Users\daniel10&gt;powershell.exe -exec bypass -Command &quot;Import-Module ./Invoke-TSPingSweep.ps1; Invoke-TSPingSweep -StartAddress 192.168.7.1 -EndAddress 192.168.7.254 -ResolveHost -ScanPort -Port 445,135&quot;
IPAddress     HostName             Ports
---------     --------             -----
192.168.7.7   dc.teamssix.com      {445, 135}
192.168.7.107 DANIEL7.teamssix.com {445, 135}
192.168.7.110 daniel10.teamssix... {445, 135}
</code></pre></div><h3 id="arpscan">ARPScan <a href="#arpscan" class="header-anchor">#</a></h3>
<p>PowerShell ARPScan 扫描脚本下载地址：<a href="https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/situational_awareness/network/Invoke-ARPScan.ps1" target="_blank" rel="noopener noreferrer">https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/situational_awareness/network/Invoke-ARPScan.ps1 <span class="sr-only">(opens new window)</span></a></p>
<p><a href="https://pan.wgpsec.org/d/public/4-%E5%90%8E%E6%B8%97%E9%80%8F%20&amp;%20%E5%9F%9F%E6%B8%97%E9%80%8F/%E4%B8%BB%E6%9C%BA%E5%8F%91%E7%8E%B0/Invoke-ARPScan.ps1" target="_blank" rel="noopener noreferrer">狼盘下载 Invoke-ARPScan.ps1 <span class="sr-only">(opens new window)</span></a></p>
<p>ARP 探测只对与当前主机处于同一二层网段的地址有效，跨网段的主机不会出现在结果中。另外，下面输出中的 192.168.7.255 是该网段的广播地址，它的 MAC 与发起扫描的主机 192.168.7.110 相同，并不代表一台独立的存活主机（后文 arp-scan、arp-ping、Empire 的输出同理）。</p>
<div class="language- line-numbers-mode"><pre class="language-text"><code>powershell.exe -exec bypass -Command &quot;Import-Module ./Invoke-ARPScan.ps1; Invoke-ARPScan -CIDR 192.168.7.0/24&quot;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language- line-numbers-mode"><pre class="language-text"><code>C:\Users\daniel10&gt;powershell.exe -exec bypass -Command &quot;Import-Module ./Invoke-ARPScan.ps1; Invoke-ARPScan -CIDR 192.168.7.0/24&quot;
MAC               Address
---               -------
16:7D:DA:D7:8F:64 192.168.7.1
00:0C:29:1D:82:CF 192.168.7.7
00:0C:29:A9:62:98 192.168.7.107
00:0C:29:DC:01:0D 192.168.7.110
00:0C:29:DC:01:0D 192.168.7.255
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><h2 id="_3、arp-scan">3、arp-scan <a href="#_3、arp-scan" class="header-anchor">#</a></h2> <p>arp-scan 使用 ARP 协议进行探测。arp-scan Windows 下载地址：<a href="https://github.com/QbsuranAlang/arp-scan-windows-" target="_blank" rel="noopener noreferrer">https://github.com/QbsuranAlang/arp-scan-windows-<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://pan.wgpsec.org/public/4-%E5%90%8E%E6%B8%97%E9%80%8F%20&amp;%20%E5%9F%9F%E6%B8%97%E9%80%8F/%E4%B8%BB%E6%9C%BA%E5%8F%91%E7%8E%B0/arp-scan" target="_blank" rel="noopener noreferrer">狼盘下载<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <div class="language- line-numbers-mode"><pre 
class="language-text"><code>C:\Users\daniel10&gt;arp-scan.exe -t 192.168.7.0/24
Reply that 16:7D:DA:D7:8F:64 is 192.168.7.1 in 11.278300
Reply that 00:0C:29:1D:82:CF is 192.168.7.7 in 16.140500
Reply that 00:0C:29:A9:62:98 is 192.168.7.107 in 15.233500
Reply that 00:0C:29:DC:01:0D is 192.168.7.110 in 0.080700
Reply that 00:0C:29:DC:01:0D is 192.168.7.255 in 0.071500
</code></pre></div><h2 id="_4、arp-ping">4、arp-ping <a href="#_4、arp-ping" class="header-anchor">#</a></h2>
<p>Arp-ping 基于 ARP 协议，它可以 “ping” 受防火墙保护的主机（主机防火墙拦截的通常是 ICMP 等三层及以上的流量，而同一网段内的 ARP 请求仍会得到应答），下载地址：<a href="https://www.elifulkerson.com/projects/arp-ping.php" target="_blank" rel="noopener noreferrer">https://www.elifulkerson.com/projects/arp-ping.php <span class="sr-only">(opens new window)</span></a></p>
<p><a href="https://pan.wgpsec.org/d/public/4-%E5%90%8E%E6%B8%97%E9%80%8F%20&amp;%20%E5%9F%9F%E6%B8%97%E9%80%8F/%E4%B8%BB%E6%9C%BA%E5%8F%91%E7%8E%B0/arp-ping.exe" target="_blank" rel="noopener noreferrer">狼盘下载 <span class="sr-only">(opens new window)</span></a></p>
<p>由于 arp-ping 一次只能 ping 一台主机，而在测试过程中不可能一台一台地 ping，所以这里参考上面的 ping 脚本写了一个 arp-ping 循环 ping 主机的脚本。</p>
<div class="language- line-numbers-mode"><pre class="language-text"><code>for /l %i in (1,1,255) do @arp-ping.exe 192.168.7.%i -w 1 -n 1|find /i &quot;Reply&quot;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language- line-numbers-mode"><pre class="language-text"><code>C:\Users\daniel10&gt;for /l %i in (1,1,255) do @arp-ping.exe 192.168.7.%i -w 1 -n 1|find /i &quot;Reply&quot;
Reply that 16:7D:DA:D7:8F:64 is 192.168.7.1 in 2.233ms
Reply that 00:0C:29:A9:62:98 is 192.168.7.107 in 16.857ms
Reply that 00:0C:29:DC:01:0D is 192.168.7.110 in 0.205ms
Reply that 00:0C:29:DC:01:0D is 192.168.7.255 in 0.200ms
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><h2 id="_5、empire">5、Empire <a href="#_5、empire" class="header-anchor">#</a></h2> <p>Empire 内置了arpscan 模块，该模块可利用 arp 协议对内网主机进行探测。将目标主机上线 Empire 后，使用 powershell/situational_awareness/network/arpscan 模块，设置扫描范围即可，具体如下：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>(Empire: listeners) &gt; agents
[*] Active agents:
 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------
 APDGSW9X ps 192.168.7.7     DC                *TEAMSSIX\administrator powershell         3648   5/0.0    2021-02-23 20:43:27
(Empire: agents) &gt; usemodule powershell/situational_awareness/network/arpscan
(Empire: powershell/situational_awareness/network/arpscan) &gt; set Agent APDGSW9X
(Empire: powershell/situational_awareness/network/arpscan) &gt; set CIDR 192.168.7.0/24
(Empire: powershell/situational_awareness/network/arpscan) &gt; execute
MAC               Address      
---               -------      
16:7D:DA:D7:8F:64 192.168.7.1  
00:0C:29:1D:82:CF 192.168.7.7  
00:0C:29:A9:62:98 192.168.7.107
00:0C:29:DC:01:0D 192.168.7.110
00:0C:29:1D:82:CF 192.168.7.255
</code></pre></div><h2 id="_6、nbtscan">6、nbtscan <a href="#_6、nbtscan" class="header-anchor">#</a></h2>
<p>nbtscan 有 Windows 和 Linux 两个版本，使用 NetBIOS 协议扫描本地或远程 TCP/IP 网络上的开放 NetBIOS 名称服务器。它向 UDP 137 端口发送名称查询，因此未启用 NetBIOS 的主机不会出现在结果中。</p>
<p>nbtscan 下载地址：<a href="http://www.unixwiz.net/tools/nbtscan.html" target="_blank" rel="noopener noreferrer">http://www.unixwiz.net/tools/nbtscan.html <span class="sr-only">(opens new window)</span></a>（该页面通过明文 HTTP 提供，下载后应自行校验文件。）</p>
<p><a href="https://pan.wgpsec.org/public/4-%E5%90%8E%E6%B8%97%E9%80%8F%20&amp;%20%E5%9F%9F%E6%B8%97%E9%80%8F/%E4%B8%BB%E6%9C%BA%E5%8F%91%E7%8E%B0/nbtscan" target="_blank" rel="noopener noreferrer">狼盘下载 <span class="sr-only">(opens new window)</span></a></p>
<div class="language- line-numbers-mode"><pre class="language-text"><code>C:\Users\daniel10&gt;nbtscan.exe 192.168.7.0/24
192.168.7.1     \DP
192.168.7.7     TEAMSSIX\DC                     SHARING DC
192.168.7.107   TEAMSSIX\DANIEL7                SHARING
*timeout (normal end of scan)
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><h2 id="_7、unicornscan">7、unicornscan <a href="#_7、unicornscan" class="header-anchor">#</a></h2> <p>unicornscan 使用 UDP 协议，在 kali 下可以直接 apt-get 进行安装，这个使用起来感觉有点慢。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>teamssix@localhost:~# unicornscan -mU 192.168.7.7
UDP open	          domain[   53]		from 192.168.7.7  ttl 127

teamssix@localhost:~# for k in $( seq 1 255);do unicornscan -mU 192.168.7.$k|grep &quot;open&quot;|awk -F &quot;[ :]+&quot; '{print $5}'; done
192.168.7.1
192.168.7.7
192.168.7.107
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><h2 id="_8、scanline">8、scanline <a href="#_8、scanline" class="header-anchor">#</a></h2> <p>McAfee 出品，推荐 win 下使用（管理员执行），scanline 项目地址：<a href="https://www.mcafee.com/us/downloads/free-tools/termsofuse.aspx" target="_blank" rel="noopener noreferrer">www.mcafee.com/us/downloads/free-tools/termsofuse.aspx</a></p> <p>但是项目地址的下载按钮貌似失效，其他的下载地址：<a href="https://pan.wgpsec.org/d/public/4-%E5%90%8E%E6%B8%97%E9%80%8F%20&amp;%20%E5%9F%9F%E6%B8%97%E9%80%8F/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/%E7%AB%AF%E5%8F%A3%E6%8E%A2%E6%B5%8B/ScanLine.exe" target="_blank" rel="noopener noreferrer">狼盘下载</a>（第三方网盘并非官方发布渠道，使用前建议先校验可执行文件的哈希或数字签名）</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>C:\Users\daniel10&gt;scanline.exe -n 192.168.7.0-255
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
Scan of 256 IPs started at Tue Feb 23 22:07:40 2021
-------------------------------------------------------------------------------
192.168.7.7
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
-------------------------------------------------------------------------------
192.168.7.107
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
-------------------------------------------------------------------------------
192.168.7.110
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
-------------------------------------------------------------------------------
Scan finished at Tue Feb 23 22:07:49 2021
3 IPs and 0 ports scanned in 0 hours 0 mins 9.16 secs
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br></div></div><h2 id="_9、telnet">9、telnet <a href="#_9、telnet" class="header-anchor">#</a></h2> <p>通过 telnet 探测 445 端口或者其他端口判断主机存活。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>for /l %a in (1,1,254) do start /min /low telnet 192.168.7.%a 445
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h2 id="_10、tcping">10、tcping <a href="#_10、tcping" class="header-anchor">#</a></h2> <p>tcping.exe 是一个命令行程序，其操作类似于“ping”，但它通过 TCP 工作，下载地址：<a href="https://elifulkerson.com/projects/tcping.php" target="_blank" rel="noopener noreferrer">https://elifulkerson.com/projects/tcping.php<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://pan.wgpsec.org/public/4-%E5%90%8E%E6%B8%97%E9%80%8F%20&amp;%20%E5%9F%9F%E6%B8%97%E9%80%8F/%E4%B8%BB%E6%9C%BA%E5%8F%91%E7%8E%B0/tcping" target="_blank" rel="noopener noreferrer">狼盘下载<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>C:\Users\daniel10&gt;tcping.exe -n 1 192.168.7.7 445

Probing 192.168.7.7:445/tcp - Port is open - time=1.719ms
Ping statistics for 192.168.7.7:445
     1 probes sent.
     1 successful, 0 failed.  (0.00% fail)
Approximate trip times in milli-seconds:
     Minimum = 1.719ms, Maximum = 1.719ms, Average = 1.719ms
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><h2 id="_11、cping">11、cping <a href="#_11、cping" class="header-anchor">#</a></h2> <p>k8 团队出品，下载地址：<a href="https://pan.wgpsec.org/public/4-%E5%90%8E%E6%B8%97%E9%80%8F%20&amp;%20%E5%9F%9F%E6%B8%97%E9%80%8F/%E4%B8%BB%E6%9C%BA%E5%8F%91%E7%8E%B0/cping3.0" target="_blank" rel="noopener noreferrer">狼盘下载<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p>下载解压后可以看到很多个 exe 文件，其分别代表了.net 编译版本，编译版本对应系统如下：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>XP/2003(已淘汰,用户少,使用的大部分也会装.net,因为好多app需要连驱动都要.net,具体看安装版本一般2.0)

Vista       2.0(基本上也没多少用户)
Win7/2008   2.0 3.0 3.5
Win8/2012   4.0
Win8.1      4.0 4.5
Win10/2016  4.0 4.6 (4.5未测应该也行)
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><div class="language- line-numbers-mode"><pre class="language-text"><code>C:\Users\daniel10&gt;cping40.exe scan osver 192.168.7.1 192.168.7.255
Scan OS version
192.168.7.1---192.168.7.255

Segment: 192.168.7.0
=============================================
IP              MAC               HostName        OSver
192.168.7.7     00-0C-29-1D-82-CF dc.teamssix.com [Win 2008 R2 Datacenter 7601 SP 1]
192.168.7.110   00-0C-29-DC-01-0D daniel10.teamssix.com []
192.168.7.107   00-0C-29-A9-62-98 daniel7.teamssix.com [Win 7 Professional 7601 SP 1]
=============================================
Count:3
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br></div></div><h2 id="_12、fscan">12、fscan <a href="#_12、fscan" class="header-anchor">#</a></h2> <p>影舞者大佬写的一款工具，使用起来感觉很是方便，工具下载地址：<a href="https://github.com/shadow1ng/fscan" target="_blank" rel="noopener noreferrer">https://github.com/shadow1ng/fscan<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://pan.wgpsec.org/public/4-%E5%90%8E%E6%B8%97%E9%80%8F%20&amp;%20%E5%9F%9F%E6%B8%97%E9%80%8F/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/%E7%AB%AF%E5%8F%A3%E6%8E%A2%E6%B5%8B/fscan" target="_blank" rel="noopener noreferrer">狼盘下载<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span 
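class="sr-only">(opens new window)</span></span></a></p> <p>需要注意的是，从下面的输出可以看到，fscan 除了 ICMP 存活探测和端口扫描外，还对开放 445 端口的主机做了 MS17-010、CVE-2020-0796 等漏洞检测，其流量特征通常比单纯的存活探测更明显，防守方可以据此进行检测。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>C:\Users\daniel10&gt;fscan.exe -h 192.168.7.1-255 -p 22,445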
   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   &lt;
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.5.1
scan start
(icmp) Target '192.168.7.7' is alive
(icmp) Target '192.168.7.110' is alive
(icmp) Target '192.168.7.107' is alive
icmp alive hosts len is: 3
192.168.7.110:445 open
192.168.7.7:445 open
192.168.7.107:445 open
192.168.7.110 CVE-2020-0796 SmbGhost Vulnerable
192.168.7.110  (Windows 10 Pro 18363)
[+] 192.168.7.7 MS17-010        (Windows Server 2008 R2 Datacenter 7601 Service Pack 1)
[+] 192.168.7.107       MS17-010        (Windows 7 Professional 7601 Service Pack 1)
scan end

</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br></div></div><h2 id="_13、nmap">13、Nmap <a href="#_13、nmap" class="header-anchor">#</a></h2> <p>提到扫描自然不能少了 nmap，nmap 支持多种协议的扫描，具体如下：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>ARP 扫描：			nmap -PR -sn 192.168.7.0/24
ICMP 扫描：		nmap -sP -PI 192.168.7.0/24 -T4
ICMP 扫描：		nmap -sn -PE -T4 192.168.7.0/24
SNMP 扫描：		nmap -sU --script snmp-brute 192.168.7.0/24 -T4
UDP 扫描：			nmap -sU -T5 -sV --max-retries 1 192.168.7.7 -p 500
NetBIOS 扫描：	nmap --script nbstat.nse -sU -p137 192.168.7.0/24 -T4
SMB 扫描：			nmap -sU -sS --script smb-enum-shares.nse -p 445 192.168.7.0/24
……
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><h2 id="_14、msf">14、MSF <a href="#_14、msf" class="header-anchor">#</a></h2> <p>除了 Nmap 之外，万能的 MSF 自然也不能少，MSF 能够进行主机存活探测的模块如下：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>auxiliary/scanner/discovery/udp_probe
auxiliary/scanner/discovery/udp_sweep
auxiliary/scanner/discovery/arp_sweep
auxiliary/scanner/netbios/nbname
auxiliary/scanner/snmp/snmp_enum
auxiliary/scanner/smb/smb_version
……
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p>除了上述工具外，还有 netdiscover、snscan 等工具可用于内网主机存活探测，在这其中有些工具因为使用起来感觉探测的不是很理想等原因，在此就不记录了，如果读者感兴趣的话可自行尝试玩玩。</p> <p>参考文章：</p> <blockquote><p><a href="https://soapffz.com/sec/21.html" target="_blank" rel="noopener noreferrer">https://soapffz.com/sec/21.html<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://micro8.gitbook.io/micro8/contents-1" target="_blank" rel="noopener noreferrer">https://micro8.gitbook.io/micro8/contents-1<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://www.cnblogs.com/xiaozi/p/13722474.html" target="_blank" rel="noopener noreferrer">https://www.cnblogs.com/xiaozi/p/13722474.html<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" 
focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://www.cnblogs.com/-mo-/p/11908260.html" target="_blank" rel="noopener noreferrer">https://www.cnblogs.com/-mo-/p/11908260.html<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://blog.csdn.net/weixin_42918771/article/details/108798729" target="_blank" rel="noopener noreferrer">https://blog.csdn.net/weixin_42918771/article/details/108798729<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://blog.csdn.net/qq_45366449/article/details/113650656" target="_blank" rel="noopener 
noreferrer">https://blog.csdn.net/qq_45366449/article/details/113650656<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://pingmaoer.github.io/2020/03/30/%E5%86%85%E7%BD%91%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86%E4%B8%80/" target="_blank" rel="noopener noreferrer">https://pingmaoer.github.io/2020/03/30/%E5%86%85%E7%BD%91%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86%E4%B8%80/<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p></blockquote></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> </main> <!----></div><div class="global-ui"></div></div>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/55.87aa8b5d.js" defer></script>
  </body>
</html>